I have assigned all the roles correctly, but I am only having problems with the implementation of my code. I am in a sub-account that stores a Lambda function which is supposed to iterate over all the other sub-accounts and write the required information into a CSV file. Unfortunately, the problem is that I get the information from another sub-account rather than from the account where the Lambda function is stored. What am I doing wrong?
import boto3
import csv
import os


def lambda_handler(event, context):
    def assume_role(acc_nmbr, role_n):
        sts_client = boto3.client('sts')
        partition = sts_client.get_caller_identity()['Arn'].split(":")[1]
        response = sts_client.assume_role(
            RoleArn='arn:{}:iam::{}:role/{}'.format(
                partition,
                acc_nmbr,
                role_n
            ),
            RoleSessionName='MySession'
        )
        # boto3 session built from the temporary credentials returned by STS
        s = boto3.Session(
            aws_access_key_id=response['Credentials']['AccessKeyId'],
            aws_secret_access_key=response['Credentials']['SecretAccessKey'],
            aws_session_token=response['Credentials']['SessionToken']
        )
        print("Session for: {}.".format(acc_nmbr))
        return s

    # environment information
    start = os.environ['Start']
    end = os.environ['End']
    # list of all accounts (the commas are required: adjacent string
    # literals without them are concatenated into a single id)
    aIds = {
        # "123456789101",
        "210987654321",
        "546987456413"
    }
    # api connection
    client = boto3.client('ce')
    for acc in aIds:
        s = assume_role(acc, "role")
        client = s.client('ce')
        response = client.get_cost_and_usage(
            TimePeriod={
                'Start': start,
                'End': end
            },
            Granularity='MONTHLY',
            Metrics=['BlendedCost'],
            GroupBy=[
                {
                    'Type': 'TAG',
                    'Key': 'Project'
                },
            ]
        )
        # write csv
        with open("/tmp/c.csv", "a+") as f:
            c = csv.writer(f)
            c.writerow(["Start", "End", "Cost"])
            for result in response['ResultsByTime']:
                # separate names so the query window read from the
                # environment is not overwritten for the next account
                period_start = result['TimePeriod']['Start']
                period_end = result['TimePeriod']['End']
                total_cost = 0.0
                for group in result['Groups']:
                    cost = group['Metrics']['BlendedCost']['Amount']
                    total_cost += float(cost)
                c.writerow([
                    period_start,
                    period_end,
                    total_cost
                ])
    # s3
    client = boto3.client('s3')
    client.upload_file('/tmp/c.csv', 'bucket_name', 'final.csv')
Interestingly, if I remove the comment from the first account in the aIds list, I get an access denied error even though this is the account where the Lambda function is stored.
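A reworked version of the same export, added here as an example and not the asker's code: it uses get_caller_identity to recognise the account the function runs in and uses the execution role's own credentials there, reserving STS AssumeRole (which only succeeds where the target role's trust policy names the caller) for the other accounts, and keeps the cost aggregation separate from the AWS calls so it can be checked offline. The role name, bucket, AccountIds environment variable and SAMPLE response are constructed assumptions.

```python
import csv
import io
import os

ROLE_NAME = "CostExportReadOnly"  # assumed: role each member account trusts the Lambda's execution role to assume
BUCKET = "example-cost-reports"   # assumed bucket name

def session_for(account_id):
    """boto3 Session for account_id: the function's own execution role for the account it runs in
    (no AssumeRole, so no trust policy is needed there), STS AssumeRole for every other account."""
    import boto3  # imported lazily so the pure helpers below run without boto3 installed
    sts = boto3.client("sts")
    ident = sts.get_caller_identity()
    if ident["Account"] == account_id:
        return boto3.Session()
    creds = sts.assume_role(RoleArn=f"arn:{ident['Arn'].split(':')[1]}:iam::{account_id}:role/{ROLE_NAME}",
                            RoleSessionName=f"cost-export-{account_id}")["Credentials"]
    return boto3.Session(aws_access_key_id=creds["AccessKeyId"],
                         aws_secret_access_key=creds["SecretAccessKey"],
                         aws_session_token=creds["SessionToken"])

def cost_rows(account_id, results_by_time):
    """Flatten Cost Explorer ResultsByTime into [account, start, end, total] rows."""
    rows = []
    for r in results_by_time:
        total = sum(float(g["Metrics"]["BlendedCost"]["Amount"]) for g in r["Groups"])
        rows.append([account_id, r["TimePeriod"]["Start"], r["TimePeriod"]["End"], round(total, 2)])
    return rows

def to_csv(rows):
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["Account", "Start", "End", "BlendedCost"])
    w.writerows(rows)
    return buf.getvalue()

def lambda_handler(event, context):
    period = {"Start": os.environ["Start"], "End": os.environ["End"]}
    rows = []
    for account_id in os.environ["AccountIds"].split(","):  # assumed env var: comma-separated ids
        ce = session_for(account_id).client("ce")
        resp = ce.get_cost_and_usage(TimePeriod=period, Granularity="MONTHLY", Metrics=["BlendedCost"],
                                     GroupBy=[{"Type": "TAG", "Key": "Project"}])
        rows += cost_rows(account_id, resp["ResultsByTime"])
    import boto3
    boto3.client("s3").put_object(Bucket=BUCKET, Key="final.csv", Body=to_csv(rows).encode())
# Constructed sample of one get_cost_and_usage response (not real data)
SAMPLE = [{"TimePeriod": {"Start": "2023-01-01", "End": "2023-02-01"},
           "Groups": [{"Keys": ["Project$alpha"], "Metrics": {"BlendedCost": {"Amount": "12.50", "Unit": "USD"}}},
                      {"Keys": ["Project$"], "Metrics": {"BlendedCost": {"Amount": "0.25", "Unit": "USD"}}}]}]
```

Each account's rows carry the account id, so one CSV covers all accounts without the per-iteration header of the original loop.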